fix(google-oauth): bypass PKCE for headless token exchange#1101
Closed
teyrebaz33 wants to merge 1 commit into NousResearch:main from
Conversation
On headless systems the Flow object that generated the auth URL is no longer in memory when the user pastes the auth code, so the PKCE verifier is lost. This caused 'Missing code verifier' errors from Google's token endpoint.

Fix:
- get_auth_url(): builds the authorization URL manually without code_challenge / code_challenge_method parameters
- exchange_auth_code(): performs a direct HTTP POST to the token endpoint without PKCE instead of using flow.fetch_token()

Desktop OAuth clients (installed apps) are not required to use PKCE and Google's token endpoint accepts non-PKCE requests for installed apps.

Fixes NousResearch#1093
Contributor
Fixed via #1396. The underlying headless/manual OAuth bug was real, but instead of bypassing PKCE we preserved the pending OAuth state and code verifier across and , keeping the library-supported PKCE flow intact. Thanks for surfacing and working on the issue.
Fixes #1093
Problem

On headless systems, get_auth_url() generates an auth URL via Flow.authorization_url() which includes PKCE parameters. When the user manually copies the auth code and runs --auth-code, a new Flow object is created — the original PKCE verifier is lost. Google's token endpoint then rejects the exchange with invalid_grant: Missing code verifier.

Fix

- get_auth_url(): builds the authorization URL manually without code_challenge/code_challenge_method parameters
- exchange_auth_code(): performs a direct HTTP POST to the token endpoint without PKCE, instead of using flow.fetch_token()

Desktop OAuth clients (installed apps) are not required to use PKCE, and Google's token endpoint accepts non-PKCE requests for installed applications.

Changes

- skills/productivity/google-workspace/scripts/setup.py: rewrite get_auth_url() and exchange_auth_code() to avoid PKCE
- tests/skills/test_google_oauth_setup.py: new test file with 8 tests covering both functions
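As an added example (not the project's setup.py and not code from this PR), here is the approach the maintainer's reply describes, carried out with the standard library only: the first invocation generates the PKCE verifier, puts the S256 challenge in the authorization URL, and writes the verifier and state to a 0600 file; the second invocation (the --auth-code path) reloads that file and builds a token request that still carries code_verifier, then deletes the file so the verifier cannot be replayed. The state-file path and JSON layout, the placeholder client ID/secret/auth code, the http://localhost redirect URI and the token_endpoint_check model of Google's server-side comparison are this example's own assumptions. With google-auth-oauthlib the value to persist after authorization_url() is the Flow's code_verifier attribute, and the Flow is rebuilt in the second process with code_verifier= and autogenerate_code_verifier=False (check these keyword names against the installed version).

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile
from urllib.parse import parse_qs, urlencode, urlparse

# Google's installed-app endpoints; everything else in this file is the example's own design.
AUTH_URI = "https://accounts.google.com/o/oauth2/auth"
TOKEN_URI = "https://oauth2.googleapis.com/token"


def s256_challenge(verifier):
    """RFC 7636 S256: base64url(sha256(ascii(verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def get_auth_url(client_id, scopes, state_path, redirect_uri="http://localhost"):
    """First invocation: build the authorization URL and persist the pending flow.

    state_path and the JSON layout are this example's choice (assumption); the
    redirect_uri default is a placeholder for whatever the installed app registers.
    """
    code_verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, inside RFC 7636's 43..128
    state = secrets.token_urlsafe(16)          # anti-CSRF value that Google echoes back
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    pending = {"client_id": client_id, "redirect_uri": redirect_uri,
               "state": state, "code_verifier": code_verifier}
    # Mode 0600: until the code is redeemed, the verifier is as sensitive as the code itself.
    fd = os.open(state_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(pending, fh)
    return f"{AUTH_URI}?{urlencode(params)}"


def build_token_request(auth_code, client_secret, state_path, returned_state=None):
    """Second invocation (--auth-code): reload the pending flow and build the token POST body.

    Returns the form fields to POST to TOKEN_URI; no network call is made here.
    """
    try:
        with open(state_path) as fh:
            pending = json.load(fh)
    except FileNotFoundError:
        raise RuntimeError("no pending OAuth flow; run get_auth_url first") from None
    if returned_state is not None and not secrets.compare_digest(returned_state, pending["state"]):
        raise RuntimeError("state mismatch: this auth code belongs to a different flow")
    os.remove(state_path)  # single use: never let a verifier be replayed
    return {
        "grant_type": "authorization_code",
        "code": auth_code,
        "client_id": pending["client_id"],
        "client_secret": client_secret,
        "redirect_uri": pending["redirect_uri"],
        "code_verifier": pending["code_verifier"],
    }


def token_endpoint_check(token_body, challenge_from_auth_url):
    """Model (assumed) of the server-side PKCE check in RFC 7636 sec. 4.6, to show
    why losing the verifier surfaces as 'Missing code verifier'."""
    verifier = token_body.get("code_verifier")
    if not verifier:
        return "invalid_grant: Missing code verifier"
    if not secrets.compare_digest(s256_challenge(verifier), challenge_from_auth_url):
        return "invalid_grant: code verifier does not match challenge"
    return "ok"


def demo():
    """Run both halves as if in separate processes; every input is a constructed placeholder."""
    with tempfile.TemporaryDirectory() as tmp:
        state_path = os.path.join(tmp, "pending_oauth.json")
        url = get_auth_url("example-client-id.apps.googleusercontent.com",
                           ["https://www.googleapis.com/auth/drive.readonly"], state_path)
        q = parse_qs(urlparse(url).query)
        challenge, state = q["code_challenge"][0], q["state"][0]
        # "Process 2" starts from nothing but the state file and the pasted code.
        body = build_token_request("4/0A-constructed-auth-code", "example-client-secret",
                                   state_path, returned_state=state)
        with_verifier = token_endpoint_check(body, challenge)
        # What a fresh Flow with no verifier effectively sends: the original failure.
        without_verifier = token_endpoint_check(
            {k: v for k, v in body.items() if k != "code_verifier"}, challenge)
        try:
            build_token_request("4/0A-constructed-auth-code", "example-client-secret", state_path)
            replay = "accepted"
        except RuntimeError as exc:
            replay = str(exc)
        return with_verifier, without_verifier, replay


if __name__ == "__main__":
    print(demo())
```

The state check is optional because a pasted code from an OOB-style prompt may not come with the state parameter; when the user pastes the full redirect URL instead, pass its state value so a code from a different login attempt is rejected rather than exchanged.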